How to Protect Your Organization’s Network from Rogue Employees

The recent audit report that a U.S. government network was infected by a malicious software (malware) as a result of a federal employee’s “extensive history” of visiting porn sites using his work computer highlights the importance of protecting your organization’s network from rogue employees.

An audit conducted by the Office of lnspector General (OIG)of the U.S. Department of the Interior found that the network of the U.S. Geological Survey’s Earth Resources Observation and Science Center satellite imaging facility in South Dakota was infected with a malware as a result of the unauthorized actions of the center’s employee, visiting more than 9,000 pornographic web pages. Pornographic images from these web pages were subsequently downloaded to a personal USB device and cellphone connected to the government-issued computer.

According to the OIG, these pornographic web pages contained malware. The government body defined a malware as a “rogue software that is intended to damage or disable computers and computer systems”. The common goal of malware, the government body said, is to “steal confidential information while spreading to other systems”.

Two security vulnerabilities were identified by OIG in the affected government network: unauthorized website access and open USB ports. The U.S. Government, in particular, the Department of the Interior, has in place “IT Rules of Behavior” that prohibit employees of using government computer systems for illegal or inappropriate activities, including visiting pornographic websites. The IT Rules of Behavior also prohibit employees from connecting personal devices, such as USB devices and cellphones to government-issued computers.

The said rogue employee attended the department’s annual IT security training, signed a document indicating that he understood the IT Rules of Behavior and agreed to abide by them.

Prevention

Here are some cybersecurity measures in order to protect your organization’s network from rogue employees:

• Regularly monitor employee web usage history. By monitoring web usage history, your organization will be informed whether the sites visited are safe or not.

• Enforce a blacklist policy of known Uniform Resource Locators, commonly known as URLs or web addresses.

• Deploy enhanced intrusion detection systems and firewall technology to prevent and detect websites laden with malware programs that are trying to communicate with your organization’s network. Pornographic websites should be blocked as many of these sites host malware that can infect your organization’s network.

• Restrict connection of removable media and personally owned mobile devices to company-issued computers or devices.

• Provide regular awareness training to your employees

• Develop and enforce strong IT policies for employees

Repercussions of Rogue Employees’ Actions

The recent court ruling in the case of UK supermarket giant Morrisons highlights the repercussions of rogue employees’ actions. 

Last month, the UK Court of Appeal upheld a decision of the lower court finding Morrisons liable in damages for the actions of its rogue employee.

In July 2015, Andrew Skelton, senior IT internal auditor employed by Morrisons, was found guilty and sentenced to 8 years imprisonment for the unauthorized posting of the payroll data of nearly 100,000 Morrisons’ employees on a public file sharing website.

The payroll data publicly disclosed by Skelton includes names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and the salary of the Morrisons’ employees.

After the conviction of Skelton, 5,518 current and former employees of Morrisons filed a class action for damages and interest for misuse of private information, breach of confidence and breach of statutory duty against Morrisons. The claimants argued that Morrisons is primarily liable for the wrongful conduct of Skelton. The company denied all liability.

The lower court judge ruled that Morrisons is “vicariously liable” for the wrongful act of Skelton against the claimants as there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct. This judgment by the lower court was upheld by the Court of Appeal.

Vicarious liability is a common law principle that imposes liability on employers for the wrongful acts of their employees provided that it can be shown that these wrongful acts took place in the course of their employment.

Court data shows that prior to the unauthorized payroll data disclosure, Skelton was given a formal verbal warning by the company after a disciplinary hearing involving his unauthorized use of Morrisons’ postal facilities for his private purposes. This left Skelton with a grudge against Morrisons, the court said. The court added that Skelton got hold of the payroll data when a Morrisons’ external auditor gave the data to him. Skelton then copied at work the data into his personal USB.

Morrisons said it will appeal the decision of the Court of Appeal to the Supreme Court.

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues,” Morrisons said in a statement. “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”

In Canada, Canadian courts haven’t yet directly ruled on the issue of whether vicarious liability may be applied to employers in respect of the data breaches done by their employees. What is clear is that under Canada’s Digital Privacy Act, starting this month, private organizations are mandated to notify the Privacy Commissioner of Canada and the affected individual “as soon as feasible” any data breach that poses a “real risk of significant harm” to any individual.

While your organization understands the risks, our experts can help you develop a strategy and implement the necessary IT security controls to avoid significant losses. Contact us today at (416) 920-3000to better protect your data.